prepare mgmt-gw container

salt-pillar/hosts/init.sls

@@ -38,6 +38,7 @@ hosts-inet:
     ap30: 10.0.0.70
     ap31: 10.0.0.71
     ap32: 10.0.0.72
+    mgmt-gw: 10.0.0.254
 
   core:
     server1: 172.20.72.1
@@ -68,6 +69,7 @@ hosts-inet:
     priv15-gw: 172.20.72.25
     priv16-gw: 172.20.72.26
     bgp: 172.20.72.27
+    mgmt-gw: 172.20.72.28
 
   pub:
     pub-gw: 172.20.76.1

salt-pillar/lxc-containers/server1.sls

@@ -156,3 +156,11 @@ containers:
         type: veth
         gw: serv-gw
         gw6: serv-gw
+
+  mgmt-gw:
+    interfaces:
+      core:
+        type: veth
+        gw: upstream1
+      mgmt:
+        type: veth

salt/firewall/mgmt-gw.sh

@@ -0,0 +1,13 @@
+#!/bin/sh
+
+if [ "$IFACE" = "{{ interface }}" ]; then
+    iptables -F FORWARD
+    iptables -P FORWARD REJECT
+    iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
+    # DNS
+    iptables -A FORWARD -i $IFACE -p udp --dport 53 -j ACCEPT
+    # NTP
+    iptables -A FORWARD -i $IFACE -p udp --dport 123 -j ACCEPT
+    # collectd
+    iptables -A FORWARD -i $IFACE -p udp --dport 25826 -j ACCEPT
+fi

salt/firewall/mgmt-gw.sls

@@ -0,0 +1,7 @@
+/etc/network/if-pre-up.d/firewall:
+  file.managed:
+    - source: salt://upstream/mgmt-gw.sh
+    - template: 'jinja'
+    - mode: 744
+    - require:
+        - pkg: iptables

salt/top.sls

@@ -17,10 +17,12 @@ base:
     - forwarding
     - bird
     - dhcp
-  'c3d2-gw or c3d2-anon':
+  'c3d2-gw or c3d2-anon or mgmt-gw':
     - no-ssh
     - forwarding
     - bird
+  'mgmt-gw':
+    - firewall.mgmt-gw
   'bgp':
     - no-ssh
     - forwarding